Advanced Feature Extraction and Selection Approach Using Deep Learning and Aquila Optimizer for IoT Intrusion Detection System

Developing cybersecurity is essential and has attracted considerable attention from academic and industry organizations worldwide. It is also necessary to provide sustainable computing for the Internet of Things (IoT). Machine learning techniques play a vital role in the cybersecurity of the IoT for intrusion detection and malicious identification. Thus, in this study, we develop new feature extraction and selection methods for the intrusion detection system (IDS) using the advantages of swarm intelligence (SI) algorithms. We design a feature extraction mechanism based on convolutional neural networks (CNN). After that, we present an alternative feature selection (FS) approach using the recently developed SI algorithm, Aquila optimizer (AQU). Moreover, to assess the quality of the developed IDS approach, four well-known public datasets, CIC2017, NSL-KDD, BoT-IoT, and KDD99, were used. We also carried out extensive comparisons to other optimization methods to verify the competitive performance of the developed method. The results show the high performance of the developed approach using different evaluation indicators.


Introduction
Internet applications help people and society in many fields, including teaching, electronic commerce (EC), electronic learning, entertainment, electronic communication, and others [1]. Along with these applications, cybersecurity issues have been raised because internet applications have become vulnerable with the wide expansion of networks and the massive emergence of malicious intrusion [1]. Therefore, building security systems is necessary, and many industrial and academic organizations have developed different systems and solutions. Intrusion detection systems (IDS) are very important for the cybersecurity of the Internet of Things (IoT) architecture, including cloud and fog computing.

1. Using the combination of deep learning and Aquila optimizer (AQU) to enhance IoT security.

2. A feature extractor technique based on CNN is applied to extract relevant features from the datasets.

3. A binary version of the Aquila optimizer is adopted as an FS technique that is used to select optimal features and enhance the classification accuracy.

4. Extensive evaluation is carried out with four public datasets and extensive comparisons to other methods to confirm the quality of the developed approach.

The remainder of this paper is organized as follows: Section 2 summarizes several related studies presented in recent years. The basics of the used methods are described in Section 3, whereas the presented IoT approach is introduced in Section 4. The evaluation experiments and results are described in Section 5. Section 6 presents the conclusion and future work.

Related Works
In this section, we summarize a number of previous approaches proposed for IDS in IoT and cloud. Shafiq et al. [27] presented an efficient feature selection technique for IoT malicious traffic identification using the Bot-IoT dataset. They used the objective soft set for feature extraction, and they developed a new feature selection method called CorrACC. Haddadpajouh et al. [28] applied gray wolves optimization (GWO) to improve the multi-kernel SVM for IoT cloud-edge gateway malware detection. GWO is utilized as an FS method, which enhanced the classification accuracy. It was evaluated and compared to previous methods, and it reached good results. A wrapper-based FS method called CorrAUC was developed by [29] for malicious traffic detection for IoT environments, using Bot-IoT datasets. This method was tested with four machine learning algorithms, and it showed significant performance in reducing feature size and boosting classification accuracy. Davahli et al. [30] presented a hybrid FS technique using GWO and GA algorithms. This method was employed with the SVM classifier to detect anomalies in wireless sensor networks (WSNs). Mafarja et al. [31] developed a new wrapper feature selection method using an augmented Whale Optimization Algorithm (WOA) for IoT attack identification. The augmented WOA was employed to handle the high dimensionality of the datasets and to enhance the classification accuracy. They used two transfer functions, S-shaped and V-shaped, in the WOA to boost its performance. The enhanced WOA showed better performance compared to the traditional WOA. Sekhar et al. [32] developed an IDS approach based on Fruitfly optimization with a deep Autoencoder. They used fuzzy C-Means rough parameters for data processing to deal with the missing data from the used datasets. After that, the robust features can be extracted from an Autoencoder with multiple hidden layers. Then, the extracted features are fed to the BPN (Back Propagation Neural Network) for attack classification. The Fruitfly optimization algorithm is used to optimize the neurons in the Deep Autoencoder hidden layers. This method was evaluated with UNSW-NB15 and NSL-KDD datasets, and it showed competitive performance.

Dwivedi [33] presented an alternative FS approach depending on the grasshopper optimization algorithm (GOA) for IDS. The main goal of this approach is to integrate GOA with ensemble feature selection (EFS), creating a new method called EFSGOA. The EFS is used to rank the features to select the relevant features, and then the GOA is used for identifying the significant features. This approach was tested with KDD Cup 99 and NSL-KDD datasets, and it obtained high accuracy rates. Kan et al. [34] used the adaptive PSO and CNN for IDS in the IoT network. In this method, APSO-CNN works by optimizing one-dimensional CNN structure parameters using the PSO algorithm. It was tested in comparison to other CNN-based methods, and the outcomes showed that the application of PSO has a significant impact on the performance of the CNN. The PSO was also adopted in other IDS systems, such as [35][36][37][38].

Background

Aquila Optimizer (AQU)
This section introduces the basic formulation of the Aquila Optimizer (AQU) [23]. In general, the AQU algorithm mimics Aquila's social behavior in order to catch its prey. AQU is a population-based optimization technique, similar to other metaheuristic (MH) techniques, that begins by forming an initial population X with N agents. The following equation was used to carry out this procedure.
In Equation (1), $UB_j$ and $LB_j$ represent the limits of the search space, $r_1 \in [0, 1]$ denotes a random value, and $Dim$ is the dimension of an agent.

The AQU technique's next step is to perform either exploration or exploitation until the best solution is found. There are two strategies for exploration and two for exploitation, according to [23].

The best agent $X_b$ and the average of the agents ($X_M$) are employed in the exploration, and its mathematical formulation is given as:

The search during the exploration phase is controlled by $\frac{1-t}{T}$ in Equation (2). The maximum number of generations is denoted by $T$.

The exploration phase employs the Levy flight distribution ($Levy(D)$) and $X_b$ to update the solutions, and this is represented as:

In Equation (5), $s = 0.01$ and $\beta = 1.5$; $u$ and $\upsilon$ denote random values. $X_R$ stands for a randomly chosen agent. In addition, $y$ and $x$ stand for two parameters used to simulate the spiral shape:

In Equation (7), $\omega = 0.005$ and $U = 0.00565$. $r_1 \in [0, 20]$ refers to a random value.

The first technique used in [23] to enhance the agents in the exploitation phase depends on $X_b$ and $X_M$, similar to exploration, and it is formulated as:

In Equation (8), $UB = (UB - LB)$, and $\alpha$ and $\delta$ stand for the exploitation adjustment parameters. $rnd \in [0, 1]$ is a random value.

In the second exploitation strategy, the agent can be updated using $X_b$, $Levy$, and the quality function $QF$. This strategy's mathematical definition is as follows:

In addition, $G_1$ stands for the motions used to track the optimal individual solution, as seen in the following equation:

In Equation (11), $rnd$ is a random value. Moreover, $G_2$ stands for a parameter that decreases from 2 to 0, and it is updated as:

Figure 1 depicts the structure of an IDS security scheme for IoT systems. The suggested system is divided into two phases: a feature extraction phase using an efficient CNN-based method and a feature selection phase based on the developed AQU algorithm. The presented AQU is based on improving the behavior of the classical AQU to make it suitable for the FS problem by implementing its binary version. In the following sections, a description of each stage of the developed IoT security model is given.

Representation of Collect IoT Dataset
The fundamental representation of IoT traffic data that will be employed as input to the next stage of the proposed approach is presented in this section. Consider $TS$, which is a sample of IoT traffic and is written as:

In Equation (15), $TS_i$ denotes the $i$th set of traffic features (i.e., $[tf_{11}, tf_{12}, \ldots, tf_{1d}]$); $d$ and $n$ are the number of features and samples, respectively. Thereafter, the dataset is normalized based on the min-max approach, defined as:

where $tf_{ij}$ stands for the $j$th feature of sample $i$. Therefore, the normalization of $TS$ is formulated as:

The next step is to extract the features from $NTS$ using the DL model. This process is given in the following section.

Convolutional Neural Network for Feature Extraction
Convolutional neural networks are well-known deep learning (DL) models applied to solve different problems in image classification, text classification, speech recognition, and object detection. CNNs are commonly used in computer vision problems. However, CNNs can be extended and employed in research fields tackling natural language processing [39][40][41], image processing [42,43], green computing [44,45], remote sensing [46,47], and others [48]. Unlike traditional machine learning algorithms that rely on handcrafted feature extraction, CNNs can automatically learn and represent complex features. Meanwhile, CNN-based models can vary in terms of the type and number of convolution layers, kernel size and its initialization technique, pooling operation, and the fully connected layers.

At this stage, the main objective is to learn meaningful representations from the raw data, which helps maximize the overall framework's recognition accuracy. After the learning phase using the CNN model, the feature selection algorithm is used to filter the extracted features by selecting only the most important features that maximize the classification accuracy. CNNs are characterized by a core ability to share weights between multiple layers to minimize the model complexity [49]. The proposed CNN architecture is illustrated in Figure 2, and it is composed of the following layers: two convolutional layers (Conv), two pooling layers, and four fully connected layers (FC). The full network can be summarized as follows: (1) Conv1 is the first convolutional layer with 64 filters, a kernel of size 3, and a stride of size 1. Conv1 uses the rectified linear unit (ReLU) [50] as a non-linear function, followed by dropout regularization with a rate equal to 0.5 and a max-pooling operation of size 2; (2) Conv2 is the second convolutional layer, similar to Conv1, with the only difference being the usage of an adaptive average pooling layer [51] instead of max-pooling; (3) FC1, FC2, and FC3 are fully connected layers having 128, 128, and 64 neurons, respectively. FC1, FC2, and FC3 are used as feature extraction layers to output the learned features from the raw input; (4) BN stands for the batch normalization operation; and (5) FC4 is the final FC layer, which outputs the classification predictions.

The network uses a 1D convolution operation in each convolution layer to learn the raw data activation maps after applying a fixed kernel of size 1 × 3 and then uses a max-pooling operation to extract the most relevant features. The convolution operation can be represented as:

where $x_j^{l-1}$ is the output activation map of the previous layer $l-1$, $k_{ij}^{l}$ represents the kernel weights, and $b_j^{l}$ represents the bias value. To learn complex feature representations from the input data, a non-linear function is applied in the convolution operation, which can be defined as in the following equation:

where $l$ and $j$ stand for the layer $l$ and the channel $j$, respectively. $x_j^{l}$ is the activation map extracted from layer $l$. The ReLU function is introduced in Equation (18).
The final feature representation of each input sample is obtained after pooling together the generated activation maps. Two types of pooling operations have been employed in this architecture to extract the most relevant features and to down-sample the feature space and the learning parameters, which helps the model train faster.
The final output from Conv2 is fed to a series of fully connected layers, where FC3 is used to extract the features (input sample embeddings). The final output from FC3 is fed to FC4, which outputs the classification results. FC4 applies a Softmax function to generate the probabilities of an input sample belonging to a specific class. Batch normalization (BN) and dropout regularization techniques are used to overcome network over-fitting and improve the training speed and convergence.
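The architecture described above, as an added PyTorch example (not the authors' code). The single input channel, the adaptive pooling output size of 1, the placement of BN and ReLU around the FC layers, and the names `TrafficCNN`, `embed`, `predict_proba` and `train` are assumptions; the layer sizes, dropout rate and Adam learning rate are the ones stated on this page.

```python
import torch
import torch.nn as nn


class TrafficCNN(nn.Module):
    """1D CNN with the layer sizes given in the text (BN/ReLU placement assumed)."""

    def __init__(self, n_classes):
        super().__init__()
        self.conv = nn.Sequential(
            nn.Conv1d(1, 64, kernel_size=3, stride=1),   # Conv1: 64 filters, kernel 3
            nn.ReLU(),
            nn.Dropout(0.5),
            nn.MaxPool1d(2),                             # max-pooling of size 2
            nn.Conv1d(64, 64, kernel_size=3, stride=1),  # Conv2: same as Conv1 ...
            nn.ReLU(),
            nn.Dropout(0.5),
            nn.AdaptiveAvgPool1d(1),                     # ... with adaptive average pooling
        )
        self.fc = nn.Sequential(
            nn.Linear(64, 128), nn.BatchNorm1d(128), nn.ReLU(),   # FC1
            nn.Linear(128, 128), nn.BatchNorm1d(128), nn.ReLU(),  # FC2
            nn.Linear(128, 64), nn.ReLU(),                        # FC3: embedding layer
        )
        self.fc4 = nn.Linear(64, n_classes)                       # FC4: class scores

    def extract(self, x):
        """x: (batch, d) normalised traffic features -> (batch, 64) FC3 features."""
        x = self.conv(x.unsqueeze(1))      # add the single input channel
        return self.fc(x.flatten(1))

    def forward(self, x):
        return self.fc4(self.extract(x))   # logits; Softmax is applied in predict_proba


def train(model, X, y, epochs=5, lr=0.005):
    """Full-batch Adam steps with the page's 0.005 learning rate (epochs shortened)."""
    opt = torch.optim.Adam(model.parameters(), lr=lr)
    loss_fn = nn.CrossEntropyLoss()
    model.train()
    for _ in range(epochs):
        opt.zero_grad()
        loss = loss_fn(model(X), y)
        loss.backward()
        opt.step()
    return loss.item()


def embed(model, X):
    """Features handed to the feature-selection stage (dropout and BN in eval mode)."""
    model.eval()
    with torch.no_grad():
        return model.extract(X)


def predict_proba(model, X):
    """Softmax over FC4 outputs: per-class probabilities for each sample."""
    model.eval()
    with torch.no_grad():
        return torch.softmax(model(X), dim=1)


if __name__ == "__main__":
    torch.manual_seed(0)
    X = torch.rand(64, 41)                 # constructed stand-in for 41 normalised features
    y = torch.randint(0, 5, (64,))         # constructed labels for five classes
    net = TrafficCNN(n_classes=5)
    print("final loss:", train(net, X, y))
    print("embedding shape:", tuple(embed(net, X).shape))
```
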

Feature Selection
The steps of the presented FS model (as in Figure 3) that are used to enhance the security in the IoT environment are discussed in this section. In general, the main objective of these steps is to determine the important features, which are chosen based on their quality. This is accomplished by using a binary version of AQU. The presented FS approach, named AQU, begins by creating an initial population $X$ of $N$ agents; after that, it reduces the training data by selecting only the features that correspond to ones in the Boolean version of the current solution. The quality of the selected features is then calculated using the KNN classifier's classification error. Following that, the agent with the smallest fitness value is assigned as the best agent. The agents in the current population are updated based on this best agent and the AQU operators until they find the best solution.

Generation Initial Population
The presented AQU begins by splitting the tested benchmark data into 80% and 20% training and testing sets, respectively. The beginning population X that consists of N solutions is formed using Equation (19).
In Equation (19), D stands for the number of features. rand(1, D) represents a random vector with D values. LB and UB stand for the boundaries of the search space.

Updating Population
This stage starts with Equation (20) turning $X_i$, $i = 1, 2, \ldots, N$, into its Boolean value $BX_i$.
Based on the output of Equation (20), the number of features is reduced by ignoring the irrelevant features that correspond to zero values in $BX_i$. Then the fitness value is computed using Equation (21).
where $\lambda \in [0, 1]$ stands for the weight applied to control the balance between the ratio of relevant features ($\frac{|BX_i|}{D}$) and the classification error $\gamma_i$. In this study, $\gamma_i$ is computed based on the KNN classifier using the training set.
Thereafter, the best $Fit$ and its corresponding agent $X_b$ (i.e., the best one) are determined. Then the current agents are updated with the operators of AQU as discussed in Section 4.

Terminal Criteria
The stopping conditions are checked at this stage, and the updating stage is conducted again when these conditions are not met. Otherwise, the learning process is terminated, and $X_b$ is used as the output that is utilized to reduce the testing set in the next stage.

Validation Stage
To evaluate the presented AQU's efficiency as an FS approach, the features of the testing set are reduced based on the binary version of $X_b$. Then several performance measures based on the reduced features are employed to compute the quality of the classification process. Algorithm 1 presents the whole description of the presented IoT technique to identify the intrusion.

(14) to normalize the collected IoT data.
3: Use the proposed CNN technique to extract the features (as in Section 4.2).
4: After extracting the features, divide the data into training and testing sets.
5: Use Equation (19) to generate population $X$.
6: Put $t = 1$.
7: while $t \le T$ do
8:    Apply Equation (20) to generate the binary version of $X_i$.
9:    Use Equation (21) to calculate the fitness value $Fit_i$ for $X_i$.
10:   Find the best agent $X_b$.
11:   Enhance $X_i$ as in Equations (2)-(9).
12:   $t = t + 1$.
13: end while
14: Remove the irrelevant features from the testing set that correspond to zeros in $X_b$.
15: Output: Consider $X_b$ as the output and then evaluate the performance.
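The wrapper loop of Algorithm 1 (normalize, binarize, score with KNN, keep the best agent, reduce the testing set), as an added pure-Python example that is not the authors' code. The 0.5 binarization threshold, the weighted-sum form of the fitness, λ = 0.9, the bounds [0, 1], leave-one-out KNN scoring and the constructed traffic sample are assumptions, and the agent update is a simple stand-in that pulls agents toward $X_b$, not the AQU operators.

```python
import random

LAMBDA = 0.9          # assumed weight; the page only states that lambda is in [0, 1]
LB, UB = 0.0, 1.0     # assumed search-space bounds


def min_max(rows):
    """Min-max normalise every feature column to [0, 1]."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(r, lo, hi)] for r in rows]


def binarize(agent, threshold=0.5):
    """Boolean version BX_i of a real-valued agent (threshold is an assumption)."""
    return [1 if v > threshold else 0 for v in agent]


def knn_error(X, y, mask, k=3):
    """Leave-one-out k-NN error on the training set using only the selected features."""
    idx = [j for j, m in enumerate(mask) if m]
    if not idx:
        return 1.0                      # no feature selected: worst possible error
    wrong = 0
    for i, xi in enumerate(X):
        others = [n for n in range(len(X)) if n != i]
        others.sort(key=lambda n: sum((X[n][j] - xi[j]) ** 2 for j in idx))
        votes = [y[n] for n in others[:k]]
        wrong += max(set(votes), key=votes.count) != y[i]
    return wrong / len(X)


def fitness(agent, X, y, lam=LAMBDA):
    """Assumed form: lam * error + (1 - lam) * |BX_i| / D (lower is better)."""
    mask = binarize(agent)
    return lam * knn_error(X, y, mask) + (1 - lam) * sum(mask) / len(mask)


def select_features(X, y, n_agents=8, T=15, seed=1):
    """Population loop of Algorithm 1 with a stand-in update rule (not AQU)."""
    rng = random.Random(seed)
    D = len(X[0])
    pop = [[LB + rng.random() * (UB - LB) for _ in range(D)] for _ in range(n_agents)]
    best, best_fit, history = None, float("inf"), []
    for _ in range(T):
        for agent in pop:
            f = fitness(agent, X, y)
            if f < best_fit:            # keep the best agent X_b seen so far
                best, best_fit = list(agent), f
        history.append(best_fit)
        # Stand-in update: move each agent toward X_b with Gaussian noise, clipped to bounds.
        pop = [[min(UB, max(LB, a + rng.random() * (b - a) + rng.gauss(0, 0.2)))
                for a, b in zip(agent, best)] for agent in pop]
    return binarize(best), best_fit, history


def make_traffic(n=40, seed=0):
    """Constructed sample: feature 0 separates attack (1) from normal (0); 1..5 are noise."""
    rng = random.Random(seed)
    X, y = [], []
    for i in range(n):
        label = i % 2
        X.append([0.8 * label + 0.2 * rng.random()] + [rng.random() for _ in range(5)])
        y.append(label)
    return X, y


def reduce_set(X, mask):
    """Validation stage: drop the columns that correspond to zeros in X_b."""
    return [[v for v, m in zip(row, mask) if m] for row in X]


if __name__ == "__main__":
    X, y = make_traffic()
    X = min_max(X)
    split = int(0.8 * len(X))           # 80% training, 20% testing
    mask, fit, hist = select_features(X[:split], y[:split])
    print("selected mask:", mask, "fitness:", round(fit, 4))
    print("testing columns kept:", len(reduce_set(X[split:], mask)[0]))
```
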

Experiment Results and Discussion
In this section, the quality of the developed IoT security technique is evaluated using a set of different datasets.

Performance Measures
In this study, we used a set of performance metrics to compute the efficiency of the developed IoT security method. These measures are defined using the concept of the confusion matrix (as in Table 1). These measures are given in the following.

$Acc_{Best} = \frac{TP + TN}{TP + FN + FP + TN}$

in which $N_r = 30$ refers to the iteration number (number of runs).
• Average Recall ($AV_{Sens}$): $AV_{Sens}$, or true positive rate (TPR), represents the percentage of predicting positive intrusion. It can be computed as:
• Average Precision ($AV_{Prec}$): this illustrates the percentage of true positive cases among all the positive cases. The $AV_{Prec}$ can be calculated as:
• Performance Improvement Rate (PIR): This measure is applied to estimate the improvement rates obtained by the proposed technique. It can be computed as:

where $M_{AQU}$ and $M_{Alg}$ refer to the value of the measure (i.e., Precision, Accuracy, Recall, and F1-measure) of the proposed AQU and the other algorithms, respectively.

Experimental Setup
In our experiments, the Adam [52] optimizer is used to update the CNN model weights using a 0.005 learning rate. The CNN model was trained for 100 epochs using a 2024 batch size. Concerning the feature selection phase, we compared the proposed FS algorithm named AQU with existing MH techniques in the literature. The MH algorithms selected for comparison include the Firefly algorithm (FFA) [53], particle swarm optimization (PSO) [54], whale optimization algorithm (WOA) [55], moth flame optimization (MFO) [56], traditional TSO, multiverse optimization algorithm (MVO) [57], Bat algorithm [58], and Grey wolf optimizer (GWO) [59]. Furthermore, we used the above-mentioned MH algorithms with their default parameters based on the original implementation.

Dataset Description
In this section, we describe in detail the source and statistics of the datasets used to validate the proposed framework for the network intrusion detection task. We used four datasets, including KDDCup-99, its refined version named NSL-KDD, Industrial IoT (IIoT) traffic data named BoT-IoT, and CICIDS-2017. The task is to detect network intrusions based on the features extracted using the CNN model as either intrusion, normal, or the attack type. The datasets are described in the following paragraphs.

1. KDDCup-99 and NSL-KDD: The two datasets are described in Figure 4 with their detailed statistics. The first dataset is KDDCup-99, collected from the DARPA intrusion detection challenge (1998), incorporating hundreds of users after monitoring the network traffic on thousands of machines using the UNIX operating system. The challenge was run for ten weeks by the MIT Lincoln Laboratory to store the collected traffic data in TCP dump format. Our experiments used 10% of the collected traffic data to build the KDDCup-99 dataset, which contains five attack types and 41 features. The KDDCup-99 dataset features are classified into three categories, including basic, content, and time-based traffic features. The second dataset is NSL-KDD, a derived copy of the full KDDCup-99 dataset after deduplication of the duplicated traffic records.

2. BoT-IoT: The Bot-IoT dataset [60] was collected at the center of UNSW Canberra Cyber using smart home appliances in a laboratory environment (the Cyber Range Lab). The dataset contains Industrial IoT (IIoT) traffic samples collected for IIoT experiments. The smart home appliances used to record the traffic data include weather monitoring systems, thermostats, kitchen appliances, freezers, and motion-controlled lights. In our experiments, we used 5% of the full Bot-IoT dataset, which consists of 3.6 million records, where the full dataset contains over 72 million records. The 5% of the entire dataset contains the best ten features extracted from the raw data and categorized into five main classes as described in Figure 5.

3. CICIDS-2017: The CICIDS-2017 [61] dataset is a collection of network traffic samples collected at CIC (the Canadian Institute for Cybersecurity at the University of New Brunswick) for the intrusion detection task. The dataset consists of more than 1.5M PCAPs data simulating traffic data transferred in the real world using the CICFlowMeter software after analyzing 25 user behaviors covering various network protocols such as HTTP and SSH. The collected data were categorized into eight main attack classes as described in Figure 6. Our experiments used the following collected CSV files: Tuesday-working hours, Friday-WorkingHours-Afternoon-PortScan, Friday-WorkingHours-Afternoon-DDos, and Thursday-WorkingHours-Morning-WebAttacks.

Results and Discussion
The findings of the comparison between the proposed AQU and the other MH approaches are discussed in this section. The averages of the employed measures for all compared algorithms are shown in Tables 2 and 3. For the multi-classification of the BoT-IoT, as shown in Table 2, the performance of most optimization approaches is practically similar during the training period. On the other hand, AQU delivers excellent performance metrics. Furthermore, the developed AQU has the highest accuracy, specificity, and sensitivity, as well as the best F1-measure. For the binary case of Bot-IoT, the AQU has better results in both the training and testing sets. Moreover, the PIR of the proposed AQU method and other optimization approaches is depicted in Figure 7a. Also, Table 2 and Figure 7c,d show the comparison results between the AQU and the compared algorithms using the NSL-KDD dataset. These results demonstrate the high performance of the proposed AQU over all compared approaches for both multi and binary classifications. As can be seen from the performance measurements and the testing set results, the developed AQU behaves better in the learning phase than the compared approaches. Furthermore, the developed AQU outperforms MVO with a difference of about 1.024%, and outperforms PSO with a difference of approximately 13.039%. The developed AQU outperforms existing models according to the value of recall, precision, and F-measure, with differences ranging from 2.75%, 6.85%, and 2.310% to 10.61%, 15.67%, 13.49% respectively. (Figure 7f), respectively. We can see that for the multi-classification, the proposed AQU outperforms other approaches in the training stage. However, the BAT and FFA produce higher F1-measure and Precision values than other models. AQU still outperforms MVO according to the value of accuracy, although there is only a 0.4 difference between the two.

Furthermore, the advantage of AQU on binary KDDCup-99 can be seen in the comparison findings for all evaluation indicators. It achieved the best results using both training and testing datasets. Figure 8 shows the average of the outcomes of all testing datasets for each algorithm. It can be seen that the AQU has a great ability to improve intrusion detection in both multi and binary classification instances. In addition, the results of the competitive algorithms in the case of the CICIDS-2017 dataset are given in Tables 2 and 3. It can be observed that the proposed AQU obtained the best results, especially in the multi-classification. Moreover, by comparing the results of AQU with the other models in the FS case, it can be noticed that its PIR of accuracy varies from 0.260 to 0.590. However, the PIR of recall, Precision, and F1-Measure is 0.210 to 0.590, 0.212 to 0.580, and 0.210 to 0.570. The same observation can be reached from Figure 7g,h, which illustrate the PIR for each algorithm using the CICIDS-2017 dataset. Figure 9 depicts the confusion matrix of the developed method over the tested datasets. To further analyze the results, the Friedman test [62] is used to assess if there are significant differences between the presented technique and the others. There are two hypotheses in this test: the first, known as the null hypothesis, supposes that there are no differences between the compared algorithms and is accepted in the case of a p-value ≥ 0.05. Otherwise, the alternative hypothesis (the second one) is adopted, which assumes a considerable difference between the techniques. In the two cases, Table 4 displays the mean rank of each algorithm for the four datasets (i.e., binary and multi-classifications). The proposed AQU obtained the highest mean rank for all applied performance indicators in both scenarios of multi-classification, as can be seen from the results. There is also a substantial distinction between AQU and other approaches.

Conclusions
In this paper, a new approach was proposed for the Internet of Things (IoT) intrusion detection system (IDS). We leveraged the advances of swarm intelligence (SI) and deep learning techniques. The proposed approach works as follows. First, a designed convolutional neural network (CNN) based feature extraction method was applied to obtain the related features from the input datasets. Second, a new variant of the recently developed Aquila optimizer (AQU) was used to select appropriate features and to reduce data dimensionality. The main idea of the developed AQU is to use its binary version to overcome the limitations of the traditional AQU algorithm. To evaluate the developed approach, we used four well-known public datasets, namely, CIC2017, NSL-KDD, BoT-IoT, and KDD99. Moreover, extensive comparisons were carried out with several optimization algorithms, such as WOA, BAT, TSO, GWO, FFA, MVO, and MFO, using several evaluation measures, such as precision, recall, and F1-Measure. The outcomes have confirmed the superiority of the developed AQU against all compared methods. There are still some limitations in the developed method, such as AQU, which can be addressed in future work. Moreover, different swarm intelligence methods will be considered with different deep learning architectures for IDS in the IoT environment.